Discovered 3 undefined-behaviors while testing fuzzing harnesses

[skorpion98]

Summary

Several undefined-behaviors have been found after testing one of the harnesses provided on the OSS-Fuzz repository (inchi_input_fuzzer).

During our tests we found:

1. signed integer-overflow in function ParseSegmentMobileH() (INCHI_BASE/src/ichiread.c:8890)
2. signed integer-overflow in function ParseSegmentSp2() (INCHI_BASE/src/ichiread.c:6949)
3. left-shift cannot be represented in function Canon_INChI3() (INCHI_BASE/src/ichicano.c:132)

Steps to reproduce

In the following archive, you will find

• the executable on which we performed our tests
• a directory bugs containing the several inputs that caused the aforementioned bugs and their respective UBSan logs, enumerated as the list above

To reproduce the errors, simply run the given binary with the testcase files with a command like ./inchi_input_fuzzer /path_to_testcases/input

The program has been tested on the standard Docker image provided on OSS-Fuzz using Ubuntu 20.04, providing AFL++ as fuzzing engine and build flag --sanitizer=undefined.

The hash commit used to perform the tests is 8477339.

Environment

• OS: Linux
• Version/Distribution: Ubuntu 20.04
• Architecture: x86_64

[djb-rwth]

Hi @skorpion98,
Thank you for creating this issue.
All the above mentioned bugs/vulnerabilities along with the newly opened Google oss-fuzz issues will be addressed in forthcoming version(s) of InChI.

BTW, we have started using AFL++ on Ubuntu 22.04 LTS only recently, but please feel free to track down any bug/security issue which might have been overlooked at our end.

[djb-rwth]

Hi @skorpion98,
The above stated issues have been addressed in InChI v1.07.2, which has now been uploaded to rwth branch.
Please feel free to let me know if you have any further suggestions.